Resource Structure and Inheritance
This lesson briefly introduces how the resources are organized in GCP.
Congrats! You should now have a Google Cloud Platform account with a $300 free-trial credit valid for three months. Used sparingly, that credit is enough to learn every service covered in this course. In this lesson we look at the structure in which GCP resources and projects are organized.
This course will cover all the topics given in this exam guide by Google Cloud.
Resource hierarchy#
Google Cloud Platform is designed around a single organization per account: the organization is the root of the resource hierarchy. You can also use GCP without an organization if you are an individual or sign up with an email address that is not on a custom domain.
Let’s discuss each layer of the hierarchy in detail.
Organization#
Each GCP account can have only one organization node. The organization is created automatically the first time a user signs in with an email address on a custom domain managed by Google Workspace (formerly G Suite). For example, in the image below, the organization named dockertutorials.in was created automatically.
Sign in with an organization email address, because that lets you control which users in your organization are given access to the Google Cloud console and which are not.
There are two ways to get an organization node:
- The organization is created automatically if you use Google Workspace (G Suite) to manage your organization's user email accounts.
- If you are not using Google Workspace, Cloud Identity provides the Google accounts, and Google Cloud Directory Sync (GCDS) can keep those accounts in sync with an existing directory such as Active Directory or an LDAP server.
By default, every user in a new organization is granted the Project Creator and Billing Account Creator roles at the organization level, so anyone in the domain can create projects and billing accounts. It is good practice to remove these default grants and assign the roles explicitly to the users who need them.
You will learn more about Cloud Identity and Cloud Directory Sync later. For now, remember that these services keep the users in your Active Directory (or other directory) in sync with Google Cloud.
Folders#
The second layer of the hierarchy is folders. Folders are logical groupings of projects (and of other folders) that let you map your organizational structure onto GCP.
If a team wants to keep all the projects related to a single product together, it can put them in a folder; folders work the same way for departments and teams. This use case is also shown in the image above.
Once projects are grouped in a folder, IAM roles granted at the folder level are inherited by every project in the folder and by all resources within those projects.
Projects#
Projects are the fundamental unit of GCP. Every service you use must live in a project; the only things you can use without one are IAM and billing, because those are organization-level services.
IAM (Identity and Access Management) is the Google Cloud service that controls users' access to resources. It defines who (identity) can do what (role) on which resource.
We will cover billing accounts in upcoming lessons.
A project is attached to a billing account, and usage is billed per project rather than at the organization or folder level. Hence at least one project is required to use any service in GCP.
Services#
Services, or more precisely their resources, are the leaves of the hierarchy. Virtual machines, storage buckets, databases and every other resource you create belong to exactly one project, and a project can hold many instances of each service. These are also called leaf-level or service-level resources.
Examples: a Compute Engine VM instance, a Cloud Storage bucket.
Inheritance#
In GCP, roles and the level at which they are granted are critical. If a user is granted the Storage Admin role at the organization level, they can create, update or delete buckets and objects in every project in the organization.
Similarly, if a user has been granted the Compute Admin role at a folder level, they can create, update or delete the virtual machines in any project in that folder.
Hence, follow the principle of least privilege: grant only the minimum roles a user needs to carry out their task, at the lowest level of the hierarchy at which they need them.
Roles granted at one level are inherited by every resource below it. The effective policy on a resource is therefore the union of the policy set on the resource itself and the policies of all its ancestors.
In GCP IAM, permissions are not granted directly to an end user. Instead, permissions are grouped into roles, and roles are granted to authenticated members (principals). An IAM policy defines and enforces which roles are granted to which members, and the policy is attached to a resource. Keep in mind that IAM policies are additive: a more restrictive policy on a child resource cannot override a less restrictive policy on its parent, because a grant made at the parent level still applies to the child.
Let’s understand policy inheritance with an example using Cloud Storage.
In Cloud Storage, buckets and objects are resources; buckets are the containers that hold objects. A typical use of IAM with Cloud Storage is granting read access to uploaded files.
Consider a scenario where many users upload files to a bucket, but users shouldn’t be able to read or delete any files uploaded by other users.
Your data processing expert should be able to read and delete uploaded files, but should not be able to delete buckets, because other users rely on those buckets to upload their files. In this scenario you would set the following policies on the project:
- Grant the Storage Object Admin role to your data processing expert, for example Alice at alice@example.com. Alice then has object admin rights at the project level and can read, add and delete any object in any bucket in the project, but she cannot delete the buckets themselves.
- Grant the Storage Object Creator role to a group of users, data_uploaders@example.com. Any member of data_uploaders@example.com can then upload files to the bucket. A group member owns the files they upload but cannot read or delete files uploaded by other users. The following diagram illustrates this.
Rather than granting roles on individual buckets, we granted them to users at the project level. Every bucket created under that project inherits the access defined at the project level.
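The following Python model, added here as an illustration and not taken from Google or from the course, walks the resource hierarchy the way IAM does when it evaluates a request: it collects the bindings at the resource and at every ancestor, unions the roles, expands them to permissions, and answers "can this member do X on Y?". It encodes the Cloud Storage scenario above (Alice as Storage Object Admin, data_uploaders as Storage Object Creator, both at the project level) and also shows why a narrower policy attached directly to one bucket cannot take anything away from Alice. All names (the organization ID, folder, project, buckets, users, group membership) are constructed, and ROLE_PERMISSIONS lists only a subset of what each real predefined role carries. Object ownership via legacy ACLs, IAM Conditions and deny policies are not modeled.

```python
"""Toy model of GCP IAM policy inheritance (added example, not Google's code).

Assumptions: the hierarchy, policies and group membership below are
constructed for illustration; ROLE_PERMISSIONS is a subset of each real
predefined role. Conditions, deny policies and object ACLs are not modeled.
"""

# Subset of the permissions carried by each predefined Cloud Storage role
# (assumption: the real roles include more, e.g. storage.objects.getIamPolicy).
OBJECT_PERMS = {
    "storage.objects.create", "storage.objects.get", "storage.objects.list",
    "storage.objects.update", "storage.objects.delete",
}
BUCKET_PERMS = {
    "storage.buckets.create", "storage.buckets.get", "storage.buckets.list",
    "storage.buckets.update", "storage.buckets.delete",
}
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": set(OBJECT_PERMS),
    "roles/storage.admin": OBJECT_PERMS | BUCKET_PERMS,
}

# Constructed resource hierarchy: child -> parent (None marks the root).
PARENT = {
    "organizations/123456789": None,
    "folders/data-platform": "organizations/123456789",
    "projects/uploads-prod": "folders/data-platform",
    "buckets/incoming": "projects/uploads-prod",
    "buckets/archive": "projects/uploads-prod",
}

# Constructed IAM policies, in the same binding shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
POLICIES = {
    "organizations/123456789": [
        {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
    ],
    "projects/uploads-prod": [
        {"role": "roles/storage.objectAdmin", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["group:data_uploaders@example.com"]},
    ],
    # A narrower policy attached directly to one bucket. Policies are additive,
    # so this grants Bob something extra but cannot take anything away from Alice.
    "buckets/archive": [
        {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
    ],
}

# Constructed group membership (in real GCP this lives in Cloud Identity).
GROUPS = {"group:data_uploaders@example.com": {"user:carol@example.com"}}


def ancestry(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def principals_for(member):
    """A user matches bindings for itself and for every group it belongs to."""
    return {member} | {g for g, users in GROUPS.items() if member in users}


def effective_roles(member, resource):
    """Union of roles bound to the member on the resource and all its ancestors."""
    principals = principals_for(member)
    roles = set()
    for node in ancestry(resource):
        for binding in POLICIES.get(node, []):
            if principals & set(binding["members"]):
                roles.add(binding["role"])
    return roles


def effective_permissions(member, resource):
    """Expand the effective roles to the permissions they carry."""
    perms = set()
    for role in effective_roles(member, resource):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def allowed(member, permission, resource):
    """Single access decision, as IAM would answer it for this toy model."""
    return permission in effective_permissions(member, resource)


def access_matrix(resource):
    """Who can do what on one resource; useful for spotting over-broad grants."""
    users = ["user:ops@example.com", "user:alice@example.com",
             "user:bob@example.com", "user:carol@example.com"]
    checks = ["storage.objects.create", "storage.objects.get",
              "storage.objects.delete", "storage.buckets.delete"]
    return {u: {p: allowed(u, p, resource) for p in checks} for u in users}


if __name__ == "__main__":
    for bucket in ("buckets/incoming", "buckets/archive"):
        print(bucket)
        for user, perms in access_matrix(bucket).items():
            granted = [p for p, ok in perms.items() if ok]
            print(f"  {user:26s} {granted}")
```

Running it shows Alice deleting objects in both buckets (inherited from the project) while `storage.buckets.delete` stays false for her, Carol creating but not reading objects (via the group), Bob reading only in `buckets/archive`, and ops, granted Storage Admin at the organization, able to delete buckets anywhere. The matching real-world commands for the project-level bindings are `gcloud projects add-iam-policy-binding PROJECT_ID --member=user:alice@example.com --role=roles/storage.objectAdmin` and the same with `--member=group:data_uploaders@example.com --role=roles/storage.objectCreator`.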
In the next lesson, we will create our first project. There are several ways to create a project, but we will cover the quickest and most common ones. So, time to get your hands dirty with GCP: open the GCP console and move on to the next lesson.